On 4/19/13 10:13 AM, "Tom Eastep" <[email protected]> wrote:
>On 04/19/2013 09:51 AM, Tom Eastep wrote:
>> On 04/18/2013 04:47 PM, Dash Four wrote:
>>
>>>> Let me think about it a while...
>>>>
>>> No problem, take your time - I know it isn't straight-forward, but I
>>> think it would be worth it in the end as there is a lot to be gained,
>>> certainly from a performance point of view.
>>
>> The attached small patch allows for incrementing an nfacct counter when
>> an IPSET is matched.
>>
>> For some time, the following has been supported:
>>
>> +"["{<set>["["<src-dst-list>"]"]}[,...]"]"
>>
>> where "[" and "]" are square brackets while [ and ] are meta-symbols.
>>
>> The new syntax is:
>>
>> +"["{<set>["["<src-dst-list>"]"][(<nfacct-object-list>)]}
>> [,...]"]"
>>
>>
>> Your original rule list was:
>>
>> SECTION INPUT
>> NFACCT(all)
>> NFACCT(dmz_in) - +dmz-net
>>
>> SECTION OUTPUT
>> NFACCT(all)
>> NFACCT(dmz_out) - - +dmz-net
>>
>> SECTION FORWARD
>> NFACCT(all)
>> NFACCT(dmz_fwd) - +dmz-net
>> NFACCT(dmz_fwd) - - +dmz-net
>>
>> With this patch, you can now have:
>>
>> SECTION INPUT
>> NFACCT(all) - +[dmz-net(dmz_in)]
>>
>> SECTION OUTPUT
>> NFACCT(all) - - +[dmz-net(dmz_out)]
>>
>> SECTION FORWARD
>> NFACCT(all) - +[dmz-net(dmz_fwd)]
>> COUNT - - +[dmz-net(dmz_fwd)]
>>
>> This set of rules produces:
>>
>> -A accountfwd -m nfacct --nfacct-name all -m set --match-set dmz-net \
>> src -m nfacct --nfacct-name dmz_fwd
>> -A accountfwd -m set --match-set dmz-net(dmz_fwd) dst
>> -A accountin -m nfacct --nfacct-name all \
>> -m set --match-set dmz-net src -m nfacct --nfacct-name dmz_in
>> -A accountout -m nfacct --nfacct-name all -m set --match-set \
>> dmz-net(dmz_out) dst
>>
>> One consequence of this patch is that now both 'set' and 'nfacct' go to
>> the end of the rule.
>>
>> Another thing to note is that this feature can be used anywhere that
>> ipsets are allowed; it is not restricted to the accounting file.
>>
>> Finally, the +[....] form must be used;
>> +<set>...(<nfacct-object-list>) is not supported.
>
>
>Please hold off on this for a while -- I just realized that it is
>incomplete.
Okay -- here is the complete patch.
This also allows the simple form:
Rules:
SECTION INPUT
NFACCT(all) - +dmz-net(dmz_in)
SECTION OUTPUT
NFACCT(all) - - +dmz-net(dmz_out)
SECTION FORWARD
NFACCT(all) - +dmz-net(dmz_fwd)
COUNT - - +dmz-net(dmz_fwd)
Which produce:
-A accountfwd -m nfacct --nfacct-name all -m set --match-set dmz-net src \
-m nfacct --nfacct-name dmz_fwd
-A accountfwd -m set --match-set dmz-net dst -m nfacct --nfacct-name \
dmz_fwd
-A accountin -m nfacct --nfacct-name all -m set --match-set dmz-net src -m \
nfacct --nfacct-name dmz_in
-A accountout -m nfacct --nfacct-name all -m set --match-set dmz-net dst \
-m nfacct --nfacct-name dmz_out
-Tom
You do not need a parachute to skydive. You only need a parachute to
skydive twice.
[Attachment: IPSETACCT1.patch]
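The set syntax described in the thread, as an added example that is not part of the thread or of Shorewall's own code: a small Python translator from the SOURCE/DEST column value to the iptables match fragment shown in the rule output above. It assumes, as that output implies, that a set in the SOURCE column defaults to the src flag and one in the DEST column to dst, and that a list of several nfacct objects expands to one -m nfacct match per name.

```python
import re

# Added illustration of the syntax from the thread (not Shorewall's own parser):
#   +[ <set>["["<src-dst-list>"]"]["("<nfacct-object-list>")"] [,...] ]   bracketed form
#   +<set>["["<src-dst-list>"]"]["("<nfacct-object-list>")"]               simple form
_ITEM = r'[\w.:-]+(?:\[[^\]]*\])?(?:\([^)]*\))?'
_LIST = re.compile(r'^%s(?:,%s)*$' % (_ITEM, _ITEM))
_PARTS = re.compile(r'^([\w.:-]+)(?:\[([^\]]*)\])?(?:\(([^)]*)\))?$')

def parse_set_spec(spec, column):
    """Return [(set, flags, nfacct_names)].  column is 'src' for the SOURCE column
    or 'dst' for DEST; it is the default flag when no [<src-dst-list>] is given."""
    if not spec.startswith('+'):
        raise ValueError('ipset spec must start with "+": %r' % spec)
    body = spec[1:]
    if body.startswith('['):                      # bracketed form: one or more sets
        if not body.endswith(']'):
            raise ValueError('missing closing "]" in %r' % spec)
        body = body[1:-1]
        if not _LIST.match(body):
            raise ValueError('bad set list in %r' % spec)
    elif not _PARTS.match(body):                  # simple form: exactly one set
        raise ValueError('bad set spec %r' % spec)
    parsed = []
    for item in re.findall(_ITEM, body):
        name, flags, nfacct = _PARTS.match(item).groups()
        flags = flags.split(',') if flags else [column]
        names = [n for n in nfacct.split(',') if n] if nfacct else []
        parsed.append((name, flags, names))
    return parsed

def set_match(spec, column):
    """The iptables fragment: each set match followed by its nfacct match(es)
    (one -m nfacct per listed object; an assumption about the list form)."""
    parts = []
    for name, flags, names in parse_set_spec(spec, column):
        parts.append('-m set --match-set %s %s' % (name, ','.join(flags)))
        parts.extend('-m nfacct --nfacct-name %s' % n for n in names)
    return ' '.join(parts)

def build_rule(chain, leading, source=None, dest=None):
    """Assemble a rule; set and nfacct matches go to the end, as the thread notes."""
    parts = ['-A ' + chain] + list(leading)
    if source:
        parts.append(set_match(source, 'src'))
    if dest:
        parts.append(set_match(dest, 'dst'))
    return ' '.join(parts)
```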
_______________________________________________ Shorewall-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-devel
